Cloud Custodian Policies not working for EC2 and S3

Question

I am trying to write Cloud custodian policies but I couldn't find a straight up rules filters for this in the official docs.

I am writing policies to terminate all internet facing ec2 instances and public S3 buckets.

Can someone help me as where am going wrong?

Priyaj · Answer 1 · Oct 30, 2018

policies: - name: find-ec2-on-public-subnets resource: ec2 filters: - type: value key: "SubnetId" op: in value: - subnet-d1e4xxxxx - subnet-d1e4xxxxx actions: - stop - name: s3-global-access resource: s3 filters: - type: global-grants actions: - type: delete-global-grants grantees: - "http://acs.amazonaws.com/groups/global/AllUsers" - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

answered Oct 30, 2018 by Priyaj
• 58,090 points

score +1 · Answer 2 · Mar 1, 2019

There are no straight up examples. Best to run a policy to capture resources of what you are looking for and build a filter based upon what you find in the resources.json file. Below is some sample code to get you started along your path. Try running the custodian policy with no filter defined, just the resource then look at the resources.json contents..

policies:

  - name: purge-lambda-after-7-days

    resource: lambda

    filters:

    - type: value

      value: ec2

      key: FunctionName

      value_type: normalize

     op: not_in

Example resources.json file;

[

  {

    "FunctionName": "EC2_Instance_Check",